In the state we divide our dollars between personnel (salaries) and operating (software, tools, professional services, et cetera). Our fiscal year runs July 1 to June 30. The total operating budget available for the year was probably around $35K. Our fiscal year runs July 1 through June 30, and $6,000 was what we had left for the year when I started in September.
The question became: how can I make the most impact quickly?
I'm shocked at your budget figures. Are you anticipating more in the future?
We are in the middle of fighting for a budget of between $1.1 and $1.7 million a year. We feel strongly that with that we will be able to implement the first five critical controls. The majority of the other 20 we plan to then implement within a three-year period of time, but we definitely want to keep our operational budget below $2 million a year.
How are you working with such a meager budget now?
For now, our strategy is to do the best with what we've got. We are using existing technologies. For example, application whitelisting. We have Microsoft products in place. It's not a perfect scenario, but there are some other representatives in the NSA (National Security Agency) doing it and we are trying to put it in place with the tools we have.
We are doing a lot with open source and other tools, and features that are already built into our existing software. A lot of this stuff isn't perfect and not as robust as some of the tools that are available, but, for example, Active Directory should keep a good list of the systems that are in your environment. There are other free tools like Nmap that allow you to do fairly robust scans to detect new and rogue systems on your network.
Even in the face of budget restrictions, have you made any significant changes yet worth highlighting?
I'm really pushing my staff to use a risk-based approach even in this deployment. Not all of our agencies are created equally. Some have much more sensitive data than others and we would be silly not to focus on those. It's the same as a persistent attacker who is going to do their homework and know what they are going after. We need to have the same mindset.
One thing that I did when I took over was put a stop on all security products. We were getting different requests for things like Splunk and ArcSight - requests all over the map. I didn't even know what I had yet. So I put a stop on all buying.
Once I did an inventory of all of the security products we owned, and all of the licensing and contract terms, I found we had a lot of shelf ware; things purchased years before that were now not being utilized. Excess licenses were everywhere.
Sign up for CIO Asia eNewsletters.